Privacy Enhancing Deep Learning Cloud Service Using a Trusted Execution Environment

ABSTRACT

Mechanisms are provided to implement an enhanced privacy deep learning system framework (hereafter “framework”). The framework receives, from a client computing device, an encrypted first subnet model of a neural network, where the first subnet model is one partition of multiple partitions of the neural network. The framework loads the encrypted first subnet model into a trusted execution environment (TEE) of the framework, decrypts the first subnet model, within the TEE, and executes the first subnet model within the TEE. The framework receives encrypted input data from the client computing device, loads the encrypted input data into the TEE, decrypts the input data, and processes the input data in the TEE using the first subnet model executing within the TEE.

BACKGROUND

The present application relates generally to an improved data processing apparatus and method and more specifically to mechanisms for enhancing data privacy in deep learning cloud services by utilizing a trusted execution environment.

Deep learning systems have been widely deployed as part of artificial intelligence (AI) services due to their ability to approach human performance when performing cognitive tasks. Deep learning is a class of machine learning technology that uses a cascade of multiple layers of nonlinear processing units for feature extraction and transformation. Each successive layer uses the output from the previous layer as its input. The deep learning system is trained using supervised, e.g., classification, and/or unsupervised, e.g., pattern analysis, learning mechanisms. The learning may be performed with regard to multiple levels of representations that correspond to different levels of abstraction, with the levels forming a hierarchy of concepts.

Most modern deep learning models are based on an artificial neural network, although they can also include propositional formulas or latent variables organized layer-wise in deep generative models such as the nodes in Deep Belief Networks and Deep Boltzmann Machines. In deep learning, each level learns to transform its input data into a slightly more abstract and composite representation. In a facial image recognition application, for example, the raw input may be a matrix of pixels, with the first representational layer abstracting the pixels and encoding edges, the second layer composing and encoding arrangements of edges, the third layer encoding a nose and eyes, and the fourth layer recognizing that the image contains a face. Importantly, a deep learning process can learn which features to optimally place in which level on its own, but this does not completely obviate the need for hand-tuning. For example, hand tuning may be used to vary the number of layers and layer sizes so as to provide different degrees of abstraction.

The “deep” in “deep learning” refers to the number of layers through which the data is transformed. More precisely, deep learning systems have a substantial credit assignment path (CAP) depth. The CAP is the chain of transformations from input to output. CAPs describe potentially causal connections between input and output. For a feedforward neural network, the depth of the CAPs is that of the network and is the number of hidden layers plus one (as the output layer is also parameterized). For recurrent neural networks, in which a signal may propagate through a layer more than once, the CAP depth is potentially unlimited. No universally agreed upon threshold of depth divides shallow learning from deep learning, but most researchers agree that deep learning involves a CAP depth greater than 2. A CAP of depth 2 has been shown to be a universal approximator in the sense that it can emulate any function. Beyond that, more layers do not add to the function approximation ability of the network, but the extra layers help in learning features.

SUMMARY

This Summary is provided to introduce a selection of concepts in a simplified form that are further described herein in the Detailed Description. This Summary is not intended to identify key factors or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

In one illustrative embodiment, a method is provided in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions that are executed by the at least one processor to configure the at least one processor to implement an enhanced privacy deep learning system framework. The method comprises receiving, by the enhanced privacy deep learning system framework from a client computing device, an encrypted first subnet model of a neural network, where the first subnet model is one partition of multiple partitions of the neural network. The method further comprises loading, by the enhanced privacy deep learning system framework, the encrypted first subnet model into a trusted execution environment of the enhanced privacy deep learning system framework. Moreover, the method comprises decrypting, by the enhanced privacy deep learning system framework, the first subnet model within the trusted execution environment and executing the first subnet model within the trusted execution environment. In addition, the method comprises receiving, by the enhanced privacy deep learning system framework, encrypted input data from the client computing device, and loading, by the enhanced privacy deep learning system framework, the encrypted input data into the trusted execution environment. Furthermore, the method comprises decrypting and processing, by the enhanced privacy deep learning system framework, the input data in the trusted execution environment using the first subnet model executing within the trusted execution environment.

In other illustrative embodiments, a computer program product comprising a computer useable or readable medium having a computer readable program is provided. The computer readable program, when executed on a computing device, causes the computing device to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment.

In yet another illustrative embodiment, a system/apparatus is provided. The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors. The memory may comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment.

These and other features and advantages of the present invention will be described in, or will become apparent to those of ordinary skill in the art in view of, the following detailed description of the example embodiments of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention, as well as a preferred mode of use and further objectives and advantages thereof, will best be understood by reference to the following detailed description of illustrative embodiments when read in conjunction with the accompanying drawings, wherein:

FIG. 1 is an example diagram outlining an algorithm for implementing privacy-enhancing deep neural network (DNN) classification in a privacy enhancing deep learning cloud service in accordance with one illustrative embodiment;

FIG. 2 is a block diagram outlining an example interaction between multiple components of a privacy enhancing deep learning cloud service in accordance with one illustrative embodiment;

FIG. 3 is an example diagram illustrating a dual convolutional neural network architecture for a neural network assessment framework of an automated partitioning tool in accordance with one illustrative embodiment;

FIG. 4 depicts a pictorial representation of an example distributed data processing system in which aspects of the illustrative embodiments may be implemented;

FIG. 5 is a block diagram of one example data processing system in which aspects of the illustrative embodiments may be implemented;

FIG. 6 is a flowchart outlining an example operation for configuring and utilizing a privacy enhancing deep learning cloud computing service in accordance with one illustrative embodiment;

FIG. 7 depicts a cloud computing environment according to an embodiment of the present invention; and

FIG. 8 depicts abstraction model layers according to an embodiment of the present invention.

DETAILED DESCRIPTION

While deep learning, or artificial intelligence (AI), systems and services utilize deep learning systems as part of their backend engines, concerns still exist regarding the confidentiality of the end users' provisioned input data, even for those reputable deep learning or AI service providers. That is, there is concern that accidental disclosure of sensitive user data might unexpectedly happen due to security breaches, exploited vulnerabilities, neglect, or insiders.

Deep learning, or AI, cloud providers generally offer two independent deep learning (DL) services, i.e., training and inference. End users can build customized DL models from scratch by feeding training services with their own training data. In cases where the end users do not possess enough training data, they can also leverage transfer learning techniques to repurpose and retrain existing models targeting similar tasks. After obtaining their trained models, end users can upload the models, which are in the form of hyperparameters and weights of deep neural networks (DNNs), to inference services (which might be hosted by AI service providers different from those hosting the training services) to bootstrap their AI cloud application programming interfaces (APIs). These APIs can be further integrated into mobile or desktop applications. At runtime, end users can invoke the remote APIs with their input data and receive prediction results from inference services.

Although end users always expect that service providers should be trustworthy and dependable, they may still have some concerns about the data privacy of their inputs. Accidental disclosures of confidential data might unexpectedly occur due to malicious attacks, mis-operations by negligent system administrators, or data thefts conducted by insiders. Adversaries with escalated privileges may be able to extract sensitive data from disks (data-at-rest) or from main memory (runtime data). Numerous data breaches of these types have been observed in recent years. Similar incidents can also happen to user input data for AI cloud services. In addition, deep learning is often differentiated by processing raw input data, such as images, audio, and video, as opposed to hand-crafted features. This poses more privacy concerns if the input data is leaked or compromised.

The illustrative embodiments provide a privacy enhancing mechanism to mitigate sensitive information disclosure in deep learning systems, also referred to as deep learning inference pipelines. The illustrative embodiments partition deep learning inference pipelines into a FrontNet neural network model (referred to herein as a “FrontNet”) and a BackNet neural network model (referred to herein as a “BackNet”), leveraging trusted execution environment techniques on cloud infrastructures to cryptographically protect the confidentiality and integrity of user inputs in the FrontNet model. The illustrative embodiments allow users to define the partition point between FrontNet and BackNet. In some illustrative embodiments, automated mechanisms are provided to allow for automated determination of the partition point between FrontNet and BackNet such that there is a balance between the privacy protection of the user inputs and the performance requirements of the deep learning inference pipeline. The resulting privacy enhancing mechanism of the illustrative embodiments achieves a maximum privacy guarantee with acceptable performance overhead.

Based on the layered structure of deep learning inference pipelines, or deep learning neural networks, the illustrative embodiments partition the deep learning neural network into two independent subnet models, as noted above, which are referred to as a FrontNet and a BackNet, respectively. Mathematically, a deep neural network (DNN) can be defined as a function $F^*$ that maps the input $x$ to the output $y$, i.e., $y = F^*(x; \theta)$, where $\theta$ stands for the parameters that are learned in the training phase when training the DNN. The function $F^*$ is composed of $n$ (assuming the network has $n$ layers) sub-functions $F_i$ where $i \in [1, n]$. $F_i$ maps the input $x_i$ to the output $y_i$ on Layer $i$. These sub-functions are connected in a chain. Thus, $y = F^*(x; \theta) = F_n F_{n-1} \cdots F_1(x)$. After partitioning the DNN at the $m$-th layer where $m \in [1, n]$, the function for the FrontNet subnet model can be represented as $\Phi: X \to IR$. $X$ is the input space applicable for a specific deep neural network and $IR$ is the output space for the intermediate representations (IRs).

$IR = \Phi(x; \theta_\Phi) = F_m F_{m-1} \cdots F_1(x)$, and its output $IR$ is the intermediate representation (intermediate feature maps) computed by the FrontNet subnet model. The function $\lambda$ for the BackNet subnet model is $\lambda(IR; \theta_\lambda) = F_n F_{n-1} \cdots F_{m+1}(IR)$, in which $IR$ is the input to the BackNet subnet model from the FrontNet subnet model.

It is assumed that the adversaries that may try to gain unauthorized access to the end users' input to the FrontNet subnet model may have some background knowledge $B$ for reconstructing the sensitive original input $x$. The background knowledge includes: (1) the domain knowledge of user inputs, e.g., input file types, natural image priors; (2) the knowledge of the distribution of all bits of $x$, which can be described by a probability matrix $P = \{\ldots, p_{ij}, \ldots\}$, where $p_{ij}$ is the probability that the $i$-th bit of $x$ takes the value $j$, $1 \le i \le |x|$ and $j \in \Omega$, where $\Omega$ is the encoding alphabet, and $\forall i,\ \sum_j p_{ij} = 1$.

Adversaries aim to reconstruct the inference input $x$, given an intermediate representation $IR$ of $x$ and the background knowledge $B$. Adversaries can devise an attack strategy $A$ to return $\tilde{x}$, the reconstructed version of $x$. The attack strategy $A$ can span from visually perceiving the intermediate representations to leveraging advanced input reconstruction techniques by approximating the inverse model. The FrontNet subnet model representation function $\Phi(\cdot)$ is considered to violate the $\varepsilon$-privacy for $x$ if there exists an attack $A$, background knowledge $B$, and intermediate representation $IR$ such that

$$\frac{\mathrm{dist}\left[x, \tilde{x} \mid \tilde{x} \leftarrow A(B, IR)\right]}{\mathrm{dist}\left[x, \tilde{x} \mid \tilde{x} \leftarrow A(B)\right]} \le \varepsilon \qquad (1)$$

where $\varepsilon$ is the privacy parameter to bound the distances between $x$ and $\tilde{x}$ before and after observing $IR$, and $\varepsilon \in [0, 1]$. The $\mathrm{dist}$ measures the distance between an original input $x$ and a reconstructed input $\tilde{x}$. Specifically, $\mathrm{dist}[x, \tilde{x} \mid \tilde{x} \leftarrow A(B)]$ considers that $\tilde{x}$ is reconstructed only based on the adversaries' background knowledge $B$, whereas in $\mathrm{dist}[x, \tilde{x} \mid \tilde{x} \leftarrow A(B, IR)]$, $\tilde{x}$ is reconstructed based on both the adversaries' background knowledge $B$ and the observed $IR$. Equation 1 states that the privacy of the true inference input $x$ is breached if adversaries can significantly reduce the distance between $\tilde{x}$ and $x$ after obtaining the intermediate representation $IR$ of $x$.

As defined above, the representation function for a FrontNet subnet model is $IR = \Phi(x; \theta_\Phi)$ and that of a BackNet is $y^* = \lambda(\Phi(x; \theta_\Phi); \theta_\lambda)$. The parameter $\theta$ of the original DNN is divided into $\theta_\Phi$ and $\theta_\lambda$ according to the network partition. The output shape of a FrontNet subnet model is compatible with the input shape of its corresponding BackNet subnet model. $IR$ is delivered as an output of the FrontNet subnet model and is an input to the subsequent BackNet subnet model, which continues the computation to get a result $y^*$. Given the same input $x$, it is expected that $y^*$ should be equivalent to $y$, which is the output of the original DNN before the partition.
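The chain composition $y = F_n \cdots F_1(x)$, the split at the $m$-th layer into $\Phi$ and $\lambda$, the shape-compatibility requirement, and the expectation that $y^* = y$ for the same input, worked through in Go as an added example (this is not code from the patent or its authors). The affine-plus-ReLU layer type, the constructed 3-layer toy network and its weights, and the names `Partition`, `FrontNet`, `BackNet`, `ShapeCompatible` and `CheckPartition` are all assumptions of this illustration; the check runs over every admissible partition point, not just one.

```go
package main

import (
	"fmt"
	"math"
)

// Layer is one sub-function F_i in the chain y = F_n ... F_1(x). This toy layer
// (constructed for the example, not from the page) is an affine map followed by
// an optional ReLU: y_i = act(W x_i + b).
type Layer struct {
	W    [][]float64 // rows = output width, columns = input width
	B    []float64
	ReLU bool
}

// Apply evaluates the layer on one input vector.
func (l Layer) Apply(x []float64) []float64 {
	out := make([]float64, len(l.B))
	for i := range l.B {
		s := l.B[i]
		for j, xj := range x {
			s += l.W[i][j] * xj
		}
		if l.ReLU && s < 0 {
			s = 0
		}
		out[i] = s
	}
	return out
}

// Compose applies the layers in chain order, i.e. F_n ... F_1(x). With zero
// layers it is the identity, which is what the BackNet degenerates to when the
// partition point m equals n.
func Compose(layers []Layer, x []float64) []float64 {
	for _, l := range layers {
		x = l.Apply(x)
	}
	return x
}

// Partition splits an n-layer chain at the m-th layer, 1 <= m <= n: the FrontNet
// holds F_1..F_m (theta_Phi) and the BackNet holds F_{m+1}..F_n (theta_lambda).
func Partition(layers []Layer, m int) (front, back []Layer) {
	if m < 1 || m > len(layers) {
		panic("partition point m must satisfy 1 <= m <= n")
	}
	return layers[:m], layers[m:]
}

// FrontNet computes IR = Phi(x; theta_Phi); BackNet computes y* = lambda(IR; theta_lambda).
func FrontNet(front []Layer, x []float64) []float64 { return Compose(front, x) }
func BackNet(back []Layer, ir []float64) []float64  { return Compose(back, ir) }

// ShapeCompatible checks the page's requirement that the FrontNet output shape
// matches the BackNet input shape (trivially true for an empty BackNet).
func ShapeCompatible(ir []float64, back []Layer) bool {
	return len(back) == 0 || len(back[0].W[0]) == len(ir)
}

// CheckPartition verifies, for every admissible m, that the split model
// (y* = lambda(Phi(x))) reproduces the unpartitioned output y within tol.
func CheckPartition(layers []Layer, x []float64, tol float64) bool {
	y := Compose(layers, x)
	for m := 1; m <= len(layers); m++ {
		front, back := Partition(layers, m)
		ir := FrontNet(front, x)
		if !ShapeCompatible(ir, back) {
			return false
		}
		yStar := BackNet(back, ir)
		if len(yStar) != len(y) {
			return false
		}
		for i := range y {
			if math.Abs(y[i]-yStar[i]) > tol {
				return false
			}
		}
	}
	return true
}

// ToyNetwork is a constructed 3-layer chain (2 -> 3 -> 3 -> 2) with hand-picked
// weights chosen so that every intermediate value is exact in floating point.
func ToyNetwork() []Layer {
	return []Layer{
		{W: [][]float64{{1, 0}, {0, 1}, {1, 1}}, B: []float64{0, 0, 0.5}, ReLU: true},
		{W: [][]float64{{1, 1, 0}, {0, 1, 1}, {1, 0, 1}}, B: []float64{-0.5, 0.25, 0}, ReLU: true},
		{W: [][]float64{{2, 0, -1}, {0, 4, 1}}, B: []float64{0.5, -1}, ReLU: false},
	}
}

func main() {
	layers := ToyNetwork()
	x := []float64{1, -2}
	fmt.Println("y  =", Compose(layers, x))
	for m := 1; m <= len(layers); m++ {
		front, back := Partition(layers, m)
		ir := FrontNet(front, x)
		fmt.Printf("m=%d IR=%v y*=%v\n", m, ir, BackNet(back, ir))
	}
	fmt.Println("all partitions consistent:", CheckPartition(layers, x, 1e-12))
}
```

For the constructed input $x = (1, -2)$ the unpartitioned output is $y = (0.5, 1)$; the IR at $m = 1$ is $(1, 0, 0)$ and at $m = 2$ is $(0.5, 0.25, 1)$, and each BackNet carries its IR to the same $y$. The IR is what leaves the FrontNet, so it is the only value of the end user's input that the BackNet side ever sees.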

On the cloud side, the FrontNet subnet model (or simply “FrontNet”), and inputs from end users, are loaded into a Trusted Execution Environment (TEE) that can guarantee the confidentiality, integrity, and freshness of the protected memory for secure remote computation. In one illustrative embodiment, the TEE may be provided by an implementation of the Intel SGX enclave. However, the illustrative embodiments are not limited to SGX enclaves and may be implemented with any suitable TEE, such as Protected Execution Facility for IBM Power Systems, Secure Service Container for IBM Z Systems, ARM TrustZone, and AMD Secure Memory Encryption and Secure Encrypted Virtualization, for example. With the protection of the memory access control mechanism and memory encryption engine (MEE) of the TEE, all non-TEE accesses from privileged system software or other untrusted components of systems will be denied. Thus, the computational process of the user inputs with the FrontNet is kept within the perimeter of a specific CPU package and is invisible to the external world. The computation within a TEE is still naturally dedicated to distilling features for specific inference tasks, exhibiting the same behaviors as its counterpart running outside of the TEE. Furthermore, the TEE can attest to remote parties (i.e., the end users of AI cloud services) that the FrontNet is running in a secure environment hosted by a trusted hardware platform.

In order to protect the contents of user inputs from being exposed on cloud servers, end users may encrypt inputs with their symmetric keys and upload the encrypted files to cloud services. After finishing the remote attestation with the TEE, end users can provision the symmetric keys to the TEE via a secure communication channel. The mechanisms inside the TEE then decrypt the user inputs and pass the inputs to the FrontNet subnet model, which has been loaded in the same TEE. In addition, the illustrative embodiments may leverage an authenticated encryption mechanism, such as the Galois Counter Mode (GCM) for example, or any of a variety of other authenticated encryption mechanisms, to achieve authenticated encryption. Thus, the illustrative embodiments can authenticate legitimate end users and render service abusing attacks ineffective. Adversaries who tend to treat the TEE-implemented FrontNet subnet model as a black-box service and use queries to extract model information would need to encrypt their inputs with the proper symmetric keys from the legitimate end users. Assuming that end users' keys are not leaked, the illustrative embodiments can deny serving these illegitimate requests that fail the integrity check and prevent the leakage of the FrontNet subnet model information, which is considered to be crucial for reconstructing user inputs. By protecting the confidentiality of both user inputs and the FrontNet subnet model via encryption and the implementation of the FrontNet subnet model in the TEE, all state-of-the-art input reconstruction methods will no longer be effective.
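The client-side encryption of the FrontNet and of each input, the in-TEE decryption, and the rejection of requests that fail the integrity check, as an added Go example that is not part of the patent text or the framework's own code. It uses AES-GCM from the Go standard library as the authenticated encryption mechanism the passage names; the associated-data labels `AADModel`/`AADInput`, the names `Seal`, `Open` and `EnclaveRequest`, the callback form of the FrontNet, and the byte-XOR stand-in `ToyFrontNet` for $\Phi$ are assumptions of this example. Remote attestation and key provisioning happen before this code runs: the symmetric key is assumed to have already reached the enclave.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Context labels bound into the GCM tag as associated data, so a blob produced
// for one role cannot be replayed in the other. Constructed for this example.
var (
	AADModel = []byte("frontnet-model")
	AADInput = []byte("inference-input")
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the client side: encrypt plaintext under the end user's symmetric
// key with a fresh random nonce. Output layout is nonce || ciphertext || tag.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open is the TEE side: GCM verifies the tag before releasing any plaintext,
// so a wrong key, a modified byte, or a mismatched label all fail here and
// the request never reaches the FrontNet.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Result is the service's answer: Accepted is false whenever either integrity
// check fails, in which case no IR is produced or returned.
type Result struct {
	Accepted bool
	IR       []byte
}

// EnclaveRequest models the framework's TEE path: decrypt the FrontNet and the
// input under the provisioned key, and only if both authenticate run the
// FrontNet (a callback here, since the page does not fix its form).
func EnclaveRequest(key, sealedModel, sealedInput []byte, frontNet func(model, input []byte) []byte) Result {
	model, err := Open(key, sealedModel, AADModel)
	if err != nil {
		return Result{}
	}
	input, err := Open(key, sealedInput, AADInput)
	if err != nil {
		return Result{}
	}
	return Result{Accepted: true, IR: frontNet(model, input)}
}

// ToyFrontNet is a constructed stand-in for Phi: it XORs input bytes with
// model bytes, enough to show the IR depends on both decrypted values.
func ToyFrontNet(model, input []byte) []byte {
	out := make([]byte, len(input))
	for i, b := range input {
		out[i] = b ^ model[i%len(model)]
	}
	return out
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real client draws it from crypto/rand
	for i := range key {
		key[i] = byte(i)
	}
	sealedModel, _ := Seal(key, []byte{0x0f, 0xf0}, AADModel)
	sealedInput, _ := Seal(key, []byte("pixels"), AADInput)
	fmt.Printf("legitimate request: %+v\n", EnclaveRequest(key, sealedModel, sealedInput, ToyFrontNet))
	tampered := append([]byte(nil), sealedInput...)
	tampered[len(tampered)-1] ^= 0x01 // one flipped bit in the GCM tag
	fmt.Printf("tampered request:   %+v\n", EnclaveRequest(key, sealedModel, tampered, ToyFrontNet))
}
```

Three failure modes all collapse to the same outcome, `Accepted == false` with no IR: a blob altered in transit, a blob sealed under a key the enclave was never provisioned with, and a model blob submitted in the input position (the associated-data label does not match). That is the integrity check the passage relies on to deny service to requests not encrypted by a legitimate end user. Nonces are random, so the sealed bytes differ on every run while the decrypted results do not.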

Before beginning the discussion of the various aspects of the illustrative embodiments, it should first be appreciated that throughout this description the term “mechanism” will be used to refer to elements of the present invention that perform various operations, functions, and the like. A “mechanism,” as the term is used herein, may be an implementation of the functions or aspects of the illustrative embodiments in the form of an apparatus, a procedure, or a computer program product. In the case of a procedure, the procedure is implemented by one or more devices, apparatus, computers, data processing systems, or the like. In the case of a computer program product, the logic represented by computer code or instructions embodied in or on the computer program product is executed by one or more hardware devices in order to implement the functionality or perform the operations associated with the specific “mechanism.” Thus, the mechanisms described herein may be implemented as specialized hardware, software executing on general purpose hardware, software instructions stored on a medium such that the instructions are readily executable by specialized or general purpose hardware, a procedure or method for executing the functions, or a combination of any of the above.

The present description and claims may make use of the terms “a”, “at least one of”, and “one or more of” with regard to particular features and elements of the illustrative embodiments. It should be appreciated that these terms and phrases are intended to state that there is at least one of the particular feature or element present in the particular illustrative embodiment, but that more than one can also be present. That is, these terms/phrases are not intended to limit the description or claims to a single feature/element being present or require that a plurality of such features/elements be present. To the contrary, these terms/phrases only require at least a single feature/element with the possibility of a plurality of such features/elements being within the scope of the description and claims.

Moreover, it should be appreciated that the use of the term “engine,” if used herein with regard to describing embodiments and features of the invention, is not intended to be limiting of any particular implementation for accomplishing and/or performing the actions, steps, processes, etc., attributable to and/or performed by the engine. An engine may be, but is not limited to, software, hardware and/or firmware or any combination thereof that performs the specified functions including, but not limited to, any use of a general and/or specialized processor in combination with appropriate software loaded or stored in a machine readable memory and executed by the processor. Further, any name associated with a particular engine is, unless otherwise specified, for purposes of convenience of reference and not intended to be limiting to a specific implementation. Additionally, any functionality attributed to an engine may be equally performed by multiple engines, incorporated into and/or combined with the functionality of another engine of the same or different type, or distributed across one or more engines of various configurations.

In addition, it should be appreciated that the following description uses a plurality of various examples for various elements of the illustrative embodiments to further illustrate example implementations of the illustrative embodiments and to aid in the understanding of the mechanisms of the illustrative embodiments. These examples are intended to be non-limiting and are not exhaustive of the various possibilities for implementing the mechanisms of the illustrative embodiments. It will be apparent to those of ordinary skill in the art in view of the present description that there are many other alternative implementations for these various elements that may be utilized in addition to, or in replacement of, the examples provided herein without departing from the spirit and scope of the present invention.

The present invention may be a system, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.

The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.

Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

FIGS. 1 and 2 are example diagrams illustrating one illustrativeembodiment of a privacy enhancing deep learning cloud service inaccordance with one illustrative embodiment. FIG. 1 is an examplediagram outlining an algorithm for implementing privacy-enhancing deeplearning neural network (DNN) classification in a privacy enhancing deeplearning cloud service in accordance with one illustrative embodiment.FIG. 2 is a block diagram outlining an example interaction betweenmultiple components of a privacy enhancing deep learning cloud servicein accordance with one illustrative embodiment. An example operation ofa privacy enhancing deep learning cloud service in accordance with oneillustrative embodiment will be described with reference to both FIGS. 1and 2 hereafter.

As shown in FIGS. 1 and 2, the workflow of an example illustrativeembodiment of a privacy enhancing deep learning cloud service involvesan end user, at a client computing device side (left side of FIG. 2)providing both encrypted inputs and a pre-trained model 200 with anoriginal FrontNet subnet model 105 that is encrypted using a symmetrickey encryption or other encryption methodology to thereby generate theencrypted FrontNet subnet model 210. It should be noted that FIG. 2illustrates the client-side operation as only providing the encryptedFrontNet subnet model 210 and encrypted input data to the privacyenhancing deep learning cloud service (right side of FIG. 2), howeverthis is assuming an embodiment in which the BackNet subnet model 220 hasalready been provided by the client side operation and loaded into theprivacy enhancing deep learning cloud service server computingdevice(s). It should be appreciated that the BackNet subnet model 220need not be encrypted, as previously mentioned above.

Thus, the end user partitions the pre-trained deep learning model 200,e.g., a DNN or other AI model, into a FrontNet subnet model 210 and aBackNet subnet model 220. The point at which the pre-trained deeplearning model (e.g., DNN or other AI model) is partitioned may bedetermined manually by the end user via their client computing device,or by way of an automated mechanism executing on the client computingdevice, such as the automated partitioning mechanism of the illustrativeembodiments as described hereafter. The FrontNet subnet model 210 iskept secret and encrypted with a symmetric key associated with the enduser (step 1 in FIG. 2). As mentioned above, the BackNet subnet model220 need not be protected through such secrecy and encryption andinstead the configuration and weights of the BackNet subnet model 220may be shared with the privacy enhancing deep learning cloud serviceprovider. However, in some illustrative embodiments, the BackNet subnetmodel 220 may also be maintained secret and encrypted either with thesame symmetric key or another encryption key or encryption methodology.In the depicted example, the BackNet subnet model 220 is not secret andencrypted, or executed within the trusted execution environment (TEE)230, due to performance constraints. However, if these performanceconstraints are lifted, or relaxed, it is possible that the parametricdata of the BackNet subnet model 220 may also be protected in a similarmanner to that of the FrontNet subnet model 210. Standard encryptionmechanisms and protocols may be used to protect the BackNet subnet model220 in communication and at rest.

Thus, in some illustrative embodiments, the whole deep neural network may be encrypted and executed within a TEE 230. In the depicted example embodiments, the deep neural network (DNN) is partitioned due to (1) the memory size limitation of the TEE 230, (2) additional performance overhead of code execution in the TEE 230, and (3) there being no additional privacy benefit by enclosing more layers (beyond the optimal partitioning point) within the TEE 230. Moreover, by executing the BackNet subnet model 220 outside the TEE 230 in the example embodiments, the framework allows for leveraging the AI-accelerated hardware, e.g., GPU, to boost the deep learning performance.

In addition to the FrontNet subnet model 210, the end user, at the client computing device, also encrypts the original inputs 212 with the symmetric key to generate encrypted input 214 for transmission to the privacy enhancing deep learning cloud service server computing device for processing by the encrypted FrontNet subnet model 210 which will execute in the TEE 230 (step 1 of FIG. 2). In the depicted example, it is assumed that the privacy enhancing deep learning cloud service provides an image classification service such that the example inputs shown in FIG. 2 are an original image 212 which is then encrypted with the symmetric key to generate the encrypted image 214 which is actually transmitted securely to the privacy enhancing deep learning cloud service server computing systems (hereafter simply referred to as the deep learning cloud service).

The end user, via the client computing device, uploads the encrypted FrontNet subnet model 210 to the deep learning cloud service on the cloud (step 2 in FIG. 2). The end user need only provide the encrypted FrontNet subnet model 210 once to the deep learning cloud service in order to initiate the deep learning cloud service. After providing the FrontNet subnet model 210, the deep learning cloud service loads the FrontNet subnet model 210 into the TEE 230 which executes in a secure manner to process encrypted inputs. Thus, the end user, via the client computing device, can continuously upload encrypted inputs 214 for processing by the deep learning cloud service, e.g., upload a plurality of encrypted images for image classification.

On the cloud side, after receiving the encrypted input 214 and the encrypted FrontNet model 210, the privacy enhancing deep learning cloud service instantiates a trusted execution environment (TEE) 230. In one illustrative embodiment, as shown in FIG. 1, the TEE 230 is an Intel SGX enclave that is initiated using the command INIT ENCLAVE at line 17 of the pseudocode shown in FIG. 1, and loads the encrypted FrontNet subnet model 210 (ENCLAVE_LOAD_ENC_MODEL at line 18 of FIG. 1) into the enclave (TEE 230) (step 3 in FIG. 2). The deep learning cloud service invokes the deep learning cloud service API function, e.g., the image classification API function in this example embodiment (ENCLAVE_INFERENCE_ENC_EVIG at line 19 in FIG. 1), and securely copies the encrypted input 214 into the enclave (TEE 230) as the function argument.

The end user, via the client computing device, and the TEE 230, e.g., SGX enclave, may perform a remote attestation procedure (step 4 in FIG. 2). The TEE 230 (e.g., SGX enclave) can prove to the end user that it is running on top of a trusted hardware platform with legitimate code/data from a trusted cloud service provider using a standard attestation protocol. Alternatively, a Transport Layer Security (TLS) session may be instantiated directly between the end user's client computing device and the TEE 230.

After creating a secure Transport Layer Security (TLS) communication channel, the end user, via the client computing device, can provision symmetric keys (ENCLAVE_GET_KEYS at line 5 of FIG. 1) directly into the TEE 230 on the cloud (step 5 in FIG. 2). Inside the TEE 230, the integrity of both the FrontNet subnet model 210 and the input 214 is verified by checking their GCM authentication tags, for example, or by performing other authentication/verification operations, and the FrontNet subnet model 210 is decrypted (ENCLAVE_DECRYPT at line 6 of FIG. 1) along with the input 214 (ENCLAVE_DECRYPT at line 10 of FIG. 1) using the provisioned symmetric keys from the end user (step 6 in FIG. 2).

A deep neural network 235 is built at the deep learning cloud service server computing system based on the FrontNet subnet model 210 (ENCLAVE_LOAD_WEIGHTS at line 7 of FIG. 1), and the deep neural network 235 is passed the decrypted input, i.e. the original input 212 (ENCLAVE_NETWORK_INFERENCE at line 11 in FIG. 1), to thereby generate the IR 240 from the processing of the decrypted input 212 by the FrontNet subnet model 210. The generated IR 240 is securely copied out of the TEE 230, or enclave, through a controlled channel of the TEE 230.

Another deep neural network 250 is built based on the BackNet subnet model 220 (LOAD_WEIGHTS at line 20 in FIG. 1) (step 7 in FIG. 2). The IR 240 is input into the deep neural network 250 built based on the BackNet subnet model 220 which processes the IR 240 input (step 8 in FIG. 2) and a final analysis result is generated, e.g., a final image classification result (NETWORK_INFERENCE at line 21 in FIG. 1) (step 9 in FIG. 2). In some illustrative embodiments, the final result is an N-dimensional real-value vector that represents a probability distribution over N different possible classes. Based on the desired implementation, the privacy enhancing deep learning cloud service may select the top-k classes with their corresponding probabilities to return back to the end user via their client computing device.
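The enclave side of steps 3 through 6 above, as an added Go example that is not part of the patent or of any implementation of it: AES-256-GCM stands in for the symmetric encryption and tag check, a struct stands in for the TEE, and the dense-layer weights and the key are constructed values. The BackNet stage outside the enclave is left out; the block shows that a blob whose tag fails, or whose role label does not match, is rejected before any plaintext is produced, and that only the IR leaves the enclave.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Matrix holds the weights of one toy dense layer (constructed for this
// example); the FrontNet is a list of such layers, each computing relu(W*x).
type Matrix [][]float64
func (w Matrix) forward(x []float64) []float64 {
	out := make([]float64, len(w))
	for i, row := range w {
		for j, v := range row {
			out[i] += v * x[j]
		}
		if out[i] < 0 {
			out[i] = 0
		}
	}
	return out
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM; the random nonce is prepended and aad binds
// the blob to its role ("frontnet" or "input") so the two cannot be swapped.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the GCM authentication tag before releasing any plaintext (the
// integrity check of step 6); a tampered or relabelled blob is rejected.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// Enclave stands in for the TEE: only it holds the key provisioned over the
// attested channel (step 5), the decrypted FrontNet and the decrypted input.
type Enclave struct {
	Key      []byte
	frontNet []Matrix
}

// LoadEncModel verifies and decrypts the FrontNet blob inside the enclave (step 3).
func (e *Enclave) LoadEncModel(sealed []byte) error {
	pt, err := Open(e.Key, sealed, []byte("frontnet"))
	if err != nil {
		return fmt.Errorf("frontnet rejected: %w", err)
	}
	return json.Unmarshal(pt, &e.frontNet)
}

// InferenceEnc verifies and decrypts one input inside the enclave, runs the
// FrontNet on it and returns only the IR, which the BackNet consumes outside.
func (e *Enclave) InferenceEnc(sealedInput []byte) ([]float64, error) {
	pt, err := Open(e.Key, sealedInput, []byte("input"))
	if err != nil {
		return nil, fmt.Errorf("input rejected: %w", err)
	}
	var x []float64
	if err := json.Unmarshal(pt, &x); err != nil {
		return nil, err
	}
	for _, w := range e.frontNet {
		x = w.forward(x)
	}
	return x, nil
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; real keys stay with the client and the enclave
	model, _ := json.Marshal([]Matrix{{{1, 0}, {0, -1}}})
	sealed, _ := Seal(key, model, []byte("frontnet"))
	fmt.Println((&Enclave{Key: key}).LoadEncModel(sealed))
}
```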

Thus, the privacy enhancing deep learning system, which may be implemented as a privacy enhancing deep learning cloud service or other AI based cloud service, via deep neural network model partitioning, encryption, and execution of a FrontNet subnet model of the partitioned model in a trusted execution environment, minimizes sensitive information disclosure of user inputs. The partitioning of the deep neural network model exploits the layered compositional network structure. The trusted execution environment protects the confidentiality of both user inputs and the configuration of the deep neural network layers of the FrontNet subnet model. The mechanisms of the illustrative embodiments, by design, can render existing state-of-the-art input reconstruction techniques ineffective, thereby eliminating the channels for adversaries to invert the deep neural networks and reconstruct the inputs to the deep neural networks.

As mentioned previously, one of the features of the illustrative embodiments is the partitioning of a deep neural network (DNN) into a FrontNet subnet model and a BackNet subnet model. Again, this may be a manual partitioning performed by the end user at their client computing device based on the end user's determination of the desired level of privacy protection. That is, enclosing additional layers of the DNN in a trusted execution environment can provide more privacy protection. The end user may test the DNN by providing input data and generating all intermediate representations (IRs) for all layers. The end user can then inspect the IRs with human perception to determine at which intermediate layer of the DNN the IRs no longer contain sensitive information. This may then be chosen as the partition point such that the input layer and layers up to and including the layer at which sensitive information is no longer present are contained in the FrontNet subnet model and the remainder of the DNN is contained in the BackNet subnet model, including the output layer.

Alternatively, an automated partitioning tool may be provided by the privacy enhancing deep learning system of the privacy enhancing deep learning cloud service or other AI based cloud service, for determining an optimal partitioning point at which to partition the layers of a deep learning system, e.g., the deep neural network of the deep learning system. The automated partitioning tool may be provided by the cloud service and may be downloadable to the client computing device for local execution at the client computing device. In this way, the end user's pre-trained model may be processed by the automated partitioning tool at the client computing device so as to identify the FrontNet subnet model and the BackNet subnet model. The client computing device may then encrypt the FrontNet subnet model and provide both the FrontNet subnet model and the BackNet subnet model to the privacy enhancing deep learning cloud service for instantiation of the FrontNet subnet model in the trusted execution environment, and the BackNet subnet model outside the trusted execution environment.

The automated partitioning tool addresses the problem of determining the optimal partitioning points for deep neural networks (DNNs) via a comprehensive security analysis. The security analysis simulates two hypothetical adversaries, A1 and A2, within a privacy reconstruction attack framework, where the adversaries attempt to uncover the contents of the original raw input x after obtaining IRs out of the trusted execution environment (TEE). Both adversaries are assumed to have no prior knowledge of input x, i.e., probability matrix P holds the uniform distribution and

$\forall i, \; p_{ij} = \frac{1}{\Omega},$

but they have different (from weak to strong) attack strategies A:

A1: This adversary is able to view IRs generated out of the FrontNet subnet model. The strategy A is to pick the IR that reveals the most information of the original input. The information exposure is measured by assessing IRs at different partitioning layers of a DNN.

A2: In addition to viewing the IRs, this more advanced adversary can further master input reconstruction techniques for deep neural networks. Thus, the strategy A of the adversary is to derive an inverse function ϕ⁻¹ from Φ and compute x̃ = ϕ⁻¹(IR). The reconstructed x̃ may leak the information of the original input x; however, the privacy enhancing deep learning cloud service or other AI based cloud service of the illustrative embodiments, by design, can render such an attack ineffective.

It is assumed that the adversary A1 is able to retrieve the IR data of the hidden layers located outside of the TEE, i.e. in the BackNet subnet model, even though the IRs may only reside in the computer memory. Therefore, it is important to investigate whether this adversary can perceive and infer the contents of the original inputs by viewing the IRs.

In deep neural networks, IRs are organized in the form of stacked feature maps. Assuming an image processing implementation, the automated partitioning tool projects all feature maps back to the pixel space and stores them as IR images. For example, if a convolutional layer of a model has 64 filters and the output is a 112×112×64 tensor, 64 IR images may be generated (112 in width and 112 in height) from the model's output.

One method to simulate this adversary is to let human subjects view all IR images and pick the ones that reveal the original input x's information. However, this task is tedious and error-prone for human beings considering the quantity of IR images they need to inspect, and it is also difficult to quantify the distance between x and the IRs. Instead, the automated partitioning tool of the illustrative embodiments replaces human subjects with another convolutional neural network that automatically assesses all IR images and identifies the ones revealing the most input information at each layer. This approach is based on the insight that if an IR image retains similar content as the input image, it will be classified into similar categories by the same convolutional network. By measuring the similarity of classification results, the automated partitioning tool can deduce whether a specific IR image is visually similar to its original input. End users can further leverage the assessment results to determine the optimal partitioning points for different neural network architectures.

FIG. 3 is an example diagram illustrating a dual convolutional network architecture for a neural network assessment framework of an automated partitioning tool in accordance with one illustrative embodiment. As shown in FIG. 3, an input x 310 is submitted to the IR generation convolutional network (IRGenNet) 320, which generates IR_i, i ∈ [1, n]. Each IR_i contains multiple feature maps after passing Layer i (L_i). The feature maps are projected to IR images and submitted to the IR validation convolutional network (IRValNet) 330, which shares the same network architecture/weights as the IRGenNet 320. The outputs of both convolutional networks 320 and 330 are N-dimensional (N is the number of classes) probability vectors with class scores.

In some illustrative embodiments, the Kullback-Leibler (KL) divergence is used to measure the similarity of classification results, although other similarity metrics may be used without departing from the spirit and scope of the present invention. With the KL divergence, at each Layer i, the IR image with the minimum KL divergence D_KL from the input x is selected to quantitatively measure dist[x, IR_i]: ∀ j ∈ [1, filternum(L_i)],

$\mathrm{dist}[x, IR_{i}] = \min_{j}\Big( D_{KL}\big( F^{*}(x,\theta) \,\|\, F^{*}(IR_{ij},\theta) \big) \Big) = \min_{j}\Big( \sum_{k} F^{*}(x,\theta)_{k} \log \frac{F^{*}(x,\theta)_{k}}{F^{*}(IR_{ij},\theta)_{k}} \Big) \qquad (2)$

where F*(·, θ) is the representation function shared by both IRGenNet 320 and IRValNet 330. To determine the optimal partitioning point for each neural network, D_KL(F*(x, θ) ∥ μ) is computed, where μ ~ U(0, N) is the uniform distribution of the probability vector and N is the number of classes. This represents that A1 has no prior knowledge of x before obtaining IRs and considers that x will be classified to all classes with equal chance. Based on Eq. 1 above,

$\delta_{i} = \frac{\mathrm{dist}[x, IR_{i}]}{D_{KL}\big( F^{*}(x,\theta) \,\|\, \mu \big)}$

may be computed and δ_i may be compared with the user-specified ε bound. For example, if the user chooses ε=1, to avoid violating ε-privacy, it is safe to partition at Layer i only if δ_i > ε = 1. It is worth noting that comparison with the uniform distribution with ε=1 is a very tight privacy bound for the information exposure. In the real-world scenario, end users can relax the constraint to specify their specific ε ∈ [0, 1] bound to satisfy their privacy requirements.
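The dist[x, IR_i], δ_i and ε comparison of Eq. 2 and the paragraph above, as an added Go example that is not the patent's own assessment tool: the IRValNet class-score vectors for one input and for the IR images of three layers are constructed values, and Deltas and PartitionPoint are names introduced here. It goes one step beyond the text by picking the shallowest layer whose IRs satisfy the bound, which is where the FrontNet can end.

```go
package main

import (
	"fmt"
	"math"
)

// KL returns D_KL(p || q) = sum_k p_k * log(p_k / q_k) for class-score vectors.
// Terms with p_k == 0 contribute nothing; q_k == 0 with p_k > 0 yields +Inf.
func KL(p, q []float64) float64 {
	var d float64
	for k := range p {
		if p[k] == 0 {
			continue
		}
		if q[k] == 0 {
			return math.Inf(1)
		}
		d += p[k] * math.Log(p[k]/q[k])
	}
	return d
}

// Dist implements Eq. 2: dist[x, IR_i] is the smallest divergence between the
// input's class scores px = F*(x, theta) and the scores F*(IR_ij, theta) of
// any IR image j projected from layer i.
func Dist(px []float64, irScores [][]float64) float64 {
	best := math.Inf(1)
	for _, q := range irScores {
		if d := KL(px, q); d < best {
			best = d
		}
	}
	return best
}

// Uniform returns mu ~ U(0, N): adversary A1's belief before seeing any IR.
func Uniform(n int) []float64 {
	mu := make([]float64, n)
	for k := range mu {
		mu[k] = 1 / float64(n)
	}
	return mu
}

// Deltas computes delta_i = dist[x, IR_i] / D_KL(F*(x, theta) || mu) for every
// layer; layers[i] holds the IRValNet score vectors of the IR images of layer i+1.
func Deltas(px []float64, layers [][][]float64) []float64 {
	base := KL(px, Uniform(len(px)))
	out := make([]float64, len(layers))
	for i, irScores := range layers {
		out[i] = Dist(px, irScores) / base
	}
	return out
}

// PartitionPoint returns the first layer i (1-based) whose IRs satisfy the
// user's bound delta_i > eps, i.e. the shallowest layer at which the FrontNet
// may end; it returns 0 when no layer meets the bound.
func PartitionPoint(deltas []float64, eps float64) int {
	for i, d := range deltas {
		if d > eps {
			return i + 1
		}
	}
	return 0
}

// Constructed sample: IRValNet scores over N=3 classes for one input x and for
// the IR images of three layers (made-up values for illustration only).
var (
	SampleInput  = []float64{0.8, 0.15, 0.05}
	SampleLayers = [][][]float64{
		{{0.75, 0.2, 0.05}},                     // layer 1: an IR still looks like x
		{{0.5, 0.3, 0.2}, {0.4, 0.4, 0.2}},      // layer 2: partly washed out
		{{0.3, 0.35, 0.35}, {0.33, 0.33, 0.34}}, // layer 3: close to uniform
	}
)

func main() {
	d := Deltas(SampleInput, SampleLayers)
	fmt.Printf("delta per layer: %.4f\n", d)
	fmt.Println("first safe partition layer for eps=1:", PartitionPoint(d, 1.0))
}
```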

Thus, in addition to the other privacy enhancing features of the illustrative embodiments, the illustrative embodiments further provide a neural network assessment framework and automated partitioning tool to assist end users in determining the optimal partitioning point at which to partition a pre-trained model into a FrontNet subnet model and a BackNet subnet model. The neural network assessment framework quantifies the privacy loss to help end users determine the optimal partitioning layers for different neural network architectures.

As is apparent from the above description, the present invention provides a computer tool for improving the privacy of input data to a deep learning system. Thus, the illustrative embodiments may be utilized in many different types of data processing environments. In order to provide a context for the description of the specific elements and functionality of the illustrative embodiments, FIGS. 4 and 5 are provided hereafter as example environments in which aspects of the illustrative embodiments may be implemented. It should be appreciated that FIGS. 4 and 5 are only examples and are not intended to assert or imply any limitation with regard to the environments in which aspects or embodiments of the present invention may be implemented. Many modifications to the depicted environments may be made without departing from the spirit and scope of the present invention.

FIG. 4 depicts a pictorial representation of an example distributed data processing system in which aspects of the illustrative embodiments may be implemented. Distributed data processing system 400 may include a network of computers in which aspects of the illustrative embodiments may be implemented. The distributed data processing system 400 contains at least one network 402, which is the medium used to provide communication links between various devices and computers connected together within distributed data processing system 400. The network 402 may include connections, such as wire, wireless communication links, satellite communication links, fiber optic cables, or the like.

In the depicted example, servers 404A-404C are connected to network 402 along with storage unit 408. In addition, clients 410 and 412 are also connected to network 402. These clients 410 and 412 may be, for example, personal computers, network computers, or the like. In the depicted example, servers 404A-404C provide data, such as boot files, operating system images, and applications to the clients 410-412. Clients 410-412 are clients to a cloud computing system comprising server 404A, and possibly one or more of the other server computing devices 404B-404C, in the depicted example. Distributed data processing system 400 may include additional servers, clients, and other computing, data storage, and communication devices not shown.

In the depicted example, distributed data processing system 400 is the Internet with network 402 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, governmental, educational and other computer systems that route data and messages. Of course, the distributed data processing system 400 may also be implemented to include a number of different types of networks, such as for example, an intranet, a local area network (LAN), a wide area network (WAN), or the like. As stated above, FIG. 4 is intended as an example, not as an architectural limitation for different embodiments of the present invention, and therefore, the particular elements shown in FIG. 4 should not be considered limiting with regard to the environments in which the illustrative embodiments of the present invention may be implemented.

As shown in FIG. 4, one or more of the computing devices, e.g., server 404A, may be specifically configured to implement a deep learning cloud service 400 which further implements a privacy enhancing deep learning cloud service framework 420, in accordance with one illustrative embodiment. The configuring of the computing device may comprise the providing of application specific hardware, firmware, or the like to facilitate the performance of the operations and generation of the outputs described herein with regard to the illustrative embodiments. The configuring of the computing device may also, or alternatively, comprise the providing of software applications stored in one or more storage devices and loaded into memory of a computing device, such as server 404A, for causing one or more hardware processors of the computing device to execute the software applications that configure the processors to perform the operations and generate the outputs described herein with regard to the illustrative embodiments. Moreover, any combination of application specific hardware, firmware, software applications executed on hardware, or the like, may be used without departing from the spirit and scope of the illustrative embodiments.

It should be appreciated that once the computing device is configured in one of these ways, the computing device becomes a specialized computing device specifically configured to implement the mechanisms of the illustrative embodiments and is not a general purpose computing device. Moreover, as described hereafter, the implementation of the mechanisms of the illustrative embodiments improves the functionality of the computing device and provides a useful and concrete result that facilitates enhanced data and model privacy when using a deep learning cloud service by providing a trusted execution environment implementation and execution of a FrontNet subnet model of a DNN model within the trusted execution environment on decrypted input.

As shown in FIG. 4, one or more of the servers 404A-404C are configured to implement the deep learning cloud service 400 and privacy enhancing deep learning cloud service framework 420 (hereafter referred to as the "framework" 420). While FIG. 4 shows elements 400 and 420 being associated with a single server, i.e. server 404A, it should be appreciated that a plurality of servers, e.g., 404A-404C, may together constitute a cloud computing system and be configured to provide the deep learning cloud service 400 implementing the framework 420 such that the mechanisms of the deep learning cloud service 400, including the framework 420 or portions thereof, and the processing pipeline(s) 405 or portions thereof, may be distributed across multiple server computing devices 404A-404C. In some illustrative embodiments, multiple instances of the deep learning cloud service 400, pipeline(s) 405, and framework 420 may be provided on multiple different servers 404A-404C of the cloud computing system. The deep learning cloud service 400 may provide any deep learning or AI based functionality of a deep learning system, an overview of which, and examples of which, are provided hereafter.

In some illustrative embodiments, the deep learning cloud service 400 may implement a cognitive computing system, or cognitive system. As an overview, a cognitive system is a specialized computer system, or set of computer systems, configured with hardware and/or software logic (in combination with hardware logic upon which the software executes) to emulate human cognitive functions. These cognitive systems apply human-like characteristics to conveying and manipulating ideas which, when combined with the inherent strengths of digital computing, can solve problems with high accuracy and resilience on a large scale. A cognitive system performs one or more computer-implemented cognitive operations that approximate a human thought process as well as enable people and machines to interact in a more natural manner so as to extend and magnify human expertise and cognition. A cognitive system comprises artificial intelligence logic, such as natural language processing (NLP) based logic, image analysis and classification logic, electronic medical record analysis logic, etc., for example, and machine learning logic, which may be provided as specialized hardware, software executed on hardware, or any combination of specialized hardware and software executed on hardware. The logic of the cognitive system implements the cognitive operation(s), examples of which include, but are not limited to, question answering, identification of related concepts within different portions of content in a corpus, image analysis and classification operations, intelligent search algorithms such as Internet web page searches, for example, medical diagnostic and treatment recommendations and other types of recommendation generation, e.g., items of interest to a particular user, potential new contact recommendations, or the like.

IBM Watson™ is an example of one such cognitive system which can process human readable language and identify inferences between text passages with human-like high accuracy at speeds far faster than human beings and on a larger scale. In general, such cognitive systems are able to perform the following functions: navigate the complexities of human language and understanding; ingest and process vast amounts of structured and unstructured data; generate and evaluate hypotheses; weigh and evaluate responses that are based only on relevant evidence; provide situation-specific advice, insights, and guidance; improve knowledge and learn with each iteration and interaction through machine learning processes; enable decision making at the point of impact (contextual guidance); scale in proportion to the task; extend and magnify human expertise and cognition; identify resonating, human-like attributes and traits from natural language; deduce various language specific or agnostic attributes from natural language; provide a high degree of relevant recollection from data points (images, text, voice) (memorization and recall); predict and sense with situational awareness that mimics human cognition based on experiences; and answer questions based on natural language and specific evidence.

In one illustrative embodiment, a cognitive system, which may be implemented as a cognitive cloud service 400, provides mechanisms for answering questions or processing requests from client computing devices, such as client computing device 410, via one or more processing pipelines 405. It should be appreciated that while a single pipeline 405 is shown in FIG. 4, the present invention is not limited to such, and a plurality of processing pipelines may be provided. In such embodiments, the processing pipelines may be separately configured to apply different processing to inputs, operate on different domains of content from one or more different corpora of information from various sources, such as network data storage 408, be configured with different analysis or reasoning algorithms, also referred to as annotators, and the like. The pipeline 405 may process questions/requests that are posed in either natural language or as structured queries/requests in accordance with the desired implementation.

The pipeline 405 is an artificial intelligence application executing on data processing hardware that answers questions pertaining to a given subject-matter domain presented in natural language or processes requests to perform a cognitive operation on input data which may be presented in natural language or as a structured request/query. The pipeline 405 receives inputs from various sources including input over a network, a corpus of electronic documents or other data, data from a content creator, information from one or more content users, and other such inputs from other possible sources of input. Data storage devices, such as data storage 408, for example, store the corpus or corpora of data. A content creator creates content in a document for use as part of a corpus or corpora of data with the pipeline 405. The document may include any file, text, article, or source of data for use in the cognitive system, i.e. the cognitive cloud service 400. For example, a pipeline 405 accesses a body of knowledge about the domain, or subject matter area, e.g., financial domain, medical domain, legal domain, image analysis domain, etc., where the body of knowledge (knowledgebase) can be organized in a variety of configurations, e.g., a structured repository of domain-specific information, such as ontologies, or unstructured data related to the domain, or a collection of natural language documents about the domain.

In operation, the pipeline 405 receives an input question/request, parses the question/request to extract the major features of the question/request, uses the extracted features to formulate queries, and then applies those queries to the corpus of data. Based on the application of the queries to the corpus of data, the pipeline 405 generates a set of hypotheses, or candidate answers/results to the input question/request, by looking across the corpus of data for portions of the corpus of data that have some potential for containing a valuable response to the input question/request. The pipeline 405 performs deep analysis on the input question/request and the portions of the corpus of data found during the application of the queries using a variety of reasoning algorithms. There may be hundreds or even thousands of reasoning algorithms applied, each of which performs different analysis, e.g., comparisons, natural language analysis, lexical analysis, image analysis, or the like, and generates a score. For example, some reasoning algorithms may look at the matching of terms and synonyms within the language of the input question and the found portions of the corpus of data. Other reasoning algorithms may look at temporal or spatial features in the language, while others may evaluate the source of the portion of the corpus of data and evaluate its veracity. Still further, some reasoning algorithms may perform image analysis so as to classify images into one of a plurality of classes indicating the nature of the image.

The scores obtained from the various reasoning algorithms indicate the extent to which the potential response is inferred by the input question/request based on the specific area of focus of that reasoning algorithm. Each resulting score is then weighted against a statistical model. The statistical model captures how well the reasoning algorithm performed at establishing the inference between two similar inputs for a particular domain during the training period of the pipeline 405. The statistical model is used to summarize a level of confidence that the pipeline 405 has regarding the evidence that the potential response, i.e. candidate answer/result, is inferred by the question/request. This process is repeated for each of the candidate answers/results until the pipeline 405 identifies candidate answers/results that surface as being significantly stronger than others and thus, generates a final answer/result, or ranked set of answers/results, for the input question/request.

As shown in FIG. 4, the deep learning cloud service 400 and its corresponding processing pipeline(s) 405 implement a privacy enhancing deep learning cloud service framework 420, or simply framework 420 hereafter. The framework 420 may be invoked by one or more of the reasoning algorithms of the processing pipeline 405 when performing its operations for reasoning over the input question/request and/or processing input data associated with the input question/request. For example, in some illustrative embodiments, the framework 520 may be invoked to assist with classifying input data into one of a plurality of predetermined classes using a deep learning neural network (DNN) model, for example. The result generated by the framework 420, e.g., a vector output with probability values associated with each of the predetermined classes to thereby identify a classification of the input data, or simply the final classification itself, may be provided back to the processing pipeline 405 for use in performing other deep learning operations, examples of which have been noted above.

The framework 420 comprises a security engine 422, a trusted execution environment (TEE) 426 implementing a decryption engine 424, and an automated partitioning tool 450 that implements a neural network assessment framework as described previously. In addition, within the TEE 426, encrypted input data and an encrypted FrontNet subnet model are decrypted by the decryption engine 424 to provide input data 440 and FrontNet subnet model 432. A BackNet subnet model 434 may be provided to the framework 420 by a client computing device 410 for instantiation in the framework 420. The security engine 422 provides the logic for performing authentication, attestation, and exchange of security keys with client computing devices 410, such as by way of establishing a Transport Layer Security (TLS) connection or other secure communication connection between the server 404A and the client computing device 410.

In operation, an end user of a client computing device 410 wishes to utilize the deep learning cloud service 400 to perform a deep learning operation on input data, e.g., image analysis and classification, by providing a pre-trained DNN model 430 and input data 440 to the deep learning cloud service 400. In accordance with the illustrative embodiments, in order to enhance the privacy of the end user's input data, the DNN model 430 is partitioned into a FrontNet subnet model 432 and a BackNet subnet model 434. The partitioning of the DNN model 430 may be performed manually by the end user, or may be performed in an automated manner, such as by using an automated partitioning tool 450 provided by the deep learning cloud service 400. That is, in one illustrative embodiment, the client computing device 410 may log onto the server 404A and access the deep learning cloud service 400, performing appropriate authentication and attestation operations, exchange of security keys, and the like. The end user of the client computing device 410 may then request download of the automated partitioning tool 450 for execution on the local client computing device 410 so as to determine the optimal partition point of the pre-trained DNN model 430. The DNN model 430 may then be partitioned into FrontNet subnet model 432 and BackNet subnet model 434 based on the determined optimal partition point, e.g., the particular hidden or middle layer of the DNN model 430 where the model should be partitioned.

Based on the exchanged security keys via the security engine 422, e.g., symmetric keys, the client computing device 410 encrypts the FrontNet subnet model 432 and provides the DNN model 430, comprising both the encrypted FrontNet subnet model 432 and the unencrypted BackNet subnet model 434, to the server 404A and deep learning cloud service 400. The framework 420 of the deep learning cloud service 400 loads the encrypted FrontNet subnet model 432 into the TEE 426 where it is decrypted and used as a basis for instantiating a DNN implementation of the FrontNet subnet model 432 executing within the TEE 426. The BackNet subnet model 434 is instantiated in the framework 420 outside the TEE 426 as a DNN implementation of the BackNet subnet model 434.

The client computing device 410 may then transmit encrypted input data, i.e. input data 440 encrypted using the exchanged security keys, to the deep learning cloud service 400 for processing. As part of the processing, such as processing via the processing pipeline 405, the deep learning cloud service 400 may invoke the framework 420 to process the encrypted input data that is received. The encrypted input data is loaded into the TEE 426 where it is decrypted by the decryption engine 424 to generate the original input data 440. The input data 440 is input to the FrontNet subnet model 432 DNN executing in the TEE 426 which generates intermediate representations (IR) that are output to the BackNet subnet model 434. The BackNet subnet model 434 DNN then processes the IR output from the FrontNet subnet model 432 DNN to generate a classification output that is provided back to the deep learning cloud service 400 and/or processing pipeline 405 for use in performing a deep learning operation based on the input data. Results of the deep learning operation may then be returned to the client computing device 410. It should be appreciated that in this process, the privacy of both the input data 440 and the FrontNet subnet model 432 is preserved, as they are only decrypted within the TEE 426 and are not exposed outside of the TEE 426.

As noted above, the mechanisms of the illustrative embodiments utilize specifically configured computing devices, or data processing systems, to perform the operations for executing a portion of a DNN model within a trusted execution environment on encrypted input data which is decrypted within the trusted execution environment. These computing devices, or data processing systems, may comprise various hardware elements which are specifically configured, either through hardware configuration, software configuration, or a combination of hardware and software configuration, to implement one or more of the systems and/or subsystems described herein. FIG. 5 is a block diagram of just one example data processing system in which aspects of the illustrative embodiments may be implemented. Data processing system 500 is an example of a computer, such as server 404 in FIG. 4, in which computer usable code or instructions implementing the processes and aspects of the illustrative embodiments of the present invention may be located and/or executed so as to achieve the operation, output, and external effects of the illustrative embodiments as described herein.

In the depicted example, data processing system 500 employs a hub architecture including north bridge and memory controller hub (NB/MCH) 502 and south bridge and input/output (I/O) controller hub (SB/ICH) 504. Processing unit 506, main memory 508, and graphics processor 510 are connected to NB/MCH 502. Graphics processor 510 may be connected to NB/MCH 502 through an accelerated graphics port (AGP).

In the depicted example, local area network (LAN) adapter 512 connects to SB/ICH 504. Audio adapter 516, keyboard and mouse adapter 520, modem 522, read only memory (ROM) 524, hard disk drive (HDD) 526, CD-ROM drive 530, universal serial bus (USB) ports and other communication ports 532, and PCI/PCIe devices 534 connect to SB/ICH 504 through bus 538 and bus 540. PCI/PCIe devices may include, for example, Ethernet adapters, add-in cards, and PC cards for notebook computers. PCI uses a card bus controller, while PCIe does not. ROM 524 may be, for example, a flash basic input/output system (BIOS).

HDD 526 and CD-ROM drive 530 connect to SB/ICH 504 through bus 540. HDD 526 and CD-ROM drive 530 may use, for example, an integrated drive electronics (IDE) or serial advanced technology attachment (SATA) interface. Super I/O (SIO) device 536 may be connected to SB/ICH 504.

An operating system runs on processing unit 506. The operating system coordinates and provides control of various components within the data processing system 500 in FIG. 5. As a client, the operating system may be a commercially available operating system such as Microsoft® Windows 10®. An object-oriented programming system, such as the Java™ programming system, may run in conjunction with the operating system and provides calls to the operating system from Java™ programs or applications executing on data processing system 500.

As a server, data processing system 500 may be, for example, an IBM eServer™ System p® computer system, Power™ processor based computer system, or the like, running the Advanced Interactive Executive (AIX)® operating system or the LINUX® operating system. Data processing system 500 may be a symmetric multiprocessor (SMP) system including a plurality of processors in processing unit 506. Alternatively, a single processor system may be employed.

Instructions for the operating system, the object-oriented programming system, and applications or programs are located on storage devices, such as HDD 526, and may be loaded into main memory 508 for execution by processing unit 506. The processes for illustrative embodiments of the present invention may be performed by processing unit 506 using computer usable program code, which may be located in a memory such as, for example, main memory 508, ROM 524, or in one or more peripheral devices 526 and 530, for example.

A bus system, such as bus 538 or bus 540 as shown in FIG. 5, may be comprised of one or more buses. Of course, the bus system may be implemented using any type of communication fabric or architecture that provides for a transfer of data between different components or devices attached to the fabric or architecture. A communication unit, such as modem 522 or network adapter 512 of FIG. 5, may include one or more devices used to transmit and receive data. A memory may be, for example, main memory 508, ROM 524, or a cache such as found in NB/MCH 502 in FIG. 5.

As mentioned above, in some illustrative embodiments the mechanisms of the illustrative embodiments may be implemented as application specific hardware, firmware, or the like, or as application software stored in a storage device, such as HDD 526, and loaded into memory, such as main memory 508, for execution by one or more hardware processors, such as processing unit 506, or the like. As such, the computing device shown in FIG. 5 becomes specifically configured to implement the mechanisms of the illustrative embodiments and specifically configured to perform the operations and generate the outputs described herein with regard to the deep learning cloud service implementing the privacy enhancing deep learning cloud service framework and one or more processing pipelines.

Those of ordinary skill in the art will appreciate that the hardware in FIGS. 4 and 5 may vary depending on the implementation. Other internal hardware or peripheral devices, such as flash memory, equivalent non-volatile memory, or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in FIGS. 4 and 5. Also, the processes of the illustrative embodiments may be applied to a multiprocessor data processing system, other than the SMP system mentioned previously, without departing from the spirit and scope of the present invention.

Moreover, the data processing system 500 may take the form of any of a number of different data processing systems including client computing devices, server computing devices, a tablet computer, laptop computer, telephone or other communication device, a personal digital assistant (PDA), or the like. In some illustrative examples, data processing system 500 may be a portable computing device that is configured with flash memory to provide non-volatile memory for storing operating system files and/or user-generated data, for example. Essentially, data processing system 500 may be any known or later developed data processing system without architectural limitation.

FIG. 6 is a flowchart outlining an example operation for configuring and utilizing a privacy enhancing deep learning cloud computing service in accordance with one illustrative embodiment. As shown in FIG. 6, the operation starts by performing an authentication of the end user, attestation, and security key exchange, such as via a TLS or other secure communication connection between the deep learning cloud service computing system and the end user's client computing device (step 610). The end user partitions their pre-trained DNN model into a FrontNet subnet model and a BackNet subnet model (step 620). As noted above, this may be performed manually or with the assistance of an automated partitioning tool which may be provided by the deep learning cloud service to the client computing device for local execution, for example.

The FrontNet subnet model is encrypted using the security keys exchanged and uploaded to the deep learning cloud service framework (step 630). The deep learning cloud service framework loads the encrypted FrontNet subnet model into a trusted execution environment (TEE), decrypts the FrontNet subnet model, and instantiates it as a DNN executing within the TEE (step 640). The unencrypted BackNet subnet model is uploaded to the deep learning cloud service framework which instantiates it as a DNN executing outside the TEE (step 650).

The input data that is to be processed by the pre-trained DNN now executing on the deep learning cloud service framework is encrypted and uploaded to the deep learning cloud service framework (step 660) where it is loaded into the TEE, decrypted, and provided as input to the FrontNet subnet model DNN (step 670). The FrontNet subnet model DNN processes the decrypted input and generates an intermediate representation (IR) (step 680) which is output to the BackNet subnet model DNN executing outside the TEE (step 690). The BackNet subnet model DNN generates and outputs the final result of the processing of the input data and provides the results back to the deep learning cloud service for performance of additional deep learning operations (step 695). The operation then terminates.
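The flow of steps 610 through 695, which is the same flow described for framework 420 and TEE 426 above, as an added simulation that is not code from the patent: a toy two-layer network is partitioned at its hidden layer, the client encrypts the FrontNet and the input, and only the TEE object ever holds the key, the decrypted FrontNet and the plaintext input, while the untrusted host sees ciphertext and the intermediate representation. The cipher (a standard-library HMAC-based encrypt-then-MAC standing in for the AEAD a real deployment would negotiate over TLS), the model weights, the input vector and every class and function name are assumptions of this example.

```python
"""Simulation of the FrontNet/BackNet split of FIGS. 4 and 6 (added example, not the
patent's code); the TEE, cipher, model and input are constructed so it runs offline."""
import hashlib, hmac, json, math, os

# Symmetric cipher stand-in.  A deployment would use the AEAD negotiated over
# TLS in step 610 (e.g. AES-GCM); to stay stdlib-only this is encrypt-then-MAC
# with HMAC-SHA256 as a counter-mode keystream and a second HMAC as the tag.
def _subkeys(key):
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())

def _keystream(enc_key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")  # tampered or wrong key
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))

# Toy DNN: dense layers {"w": rows, "b": biases} on plain Python lists.
def dense(layer, x, relu):
    y = [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(layer["w"], layer["b"])]
    return [max(0.0, v) for v in y] if relu else y

def softmax(z):
    e = [math.exp(v - max(z)) for v in z]
    return [v / sum(e) for v in e]

def partition(model, cut):
    """Step 620: layers [0, cut) form the FrontNet, the remainder the BackNet."""
    return model[:cut], model[cut:]

class TEE:
    """The only place where the key, the FrontNet and the plaintext input exist."""
    def __init__(self, key):
        self._key, self._frontnet = key, []

    def load_frontnet(self, encrypted_frontnet):          # step 640
        self._frontnet = json.loads(decrypt(self._key, encrypted_frontnet))

    def process(self, encrypted_input):                   # steps 670-680
        x = json.loads(decrypt(self._key, encrypted_input))
        for layer in self._frontnet:
            x = dense(layer, x, relu=True)
        return x           # only the intermediate representation leaves the TEE

class Framework:
    """Server-side framework 420; everything outside the TEE is untrusted."""
    def __init__(self, key):
        self.tee, self.backnet = TEE(key), []
        self.seen = []     # every client upload as the untrusted host sees it

    def upload(self, encrypted_frontnet, backnet):
        self.seen.append(encrypted_frontnet)               # step 630
        self.tee.load_frontnet(encrypted_frontnet)         # step 640
        self.backnet = backnet                             # step 650

    def classify(self, encrypted_input, k=1):
        self.seen.append(encrypted_input)                  # step 660
        z = self.tee.process(encrypted_input)              # steps 670-680
        for layer in self.backnet:                         # step 690
            z = dense(layer, z, relu=False)
        probs = softmax(z)                                 # step 695
        top = sorted(range(len(probs)), key=lambda i: -probs[i])[:k]
        return top, probs  # top-k classes and their probabilities (claim 7)

# Constructed model and input; hypothetical values chosen for hand checking.
MODEL = [{"w": [[1.0, -1.0], [0.5, 0.5]], "b": [0.0, 0.0]},   # hidden layer
         {"w": [[1.0, 0.0], [0.0, 2.0]], "b": [0.0, 0.0]}]    # output layer
INPUT = [1.0, 2.0]

def run_demo(key=None):
    """Client side: partition, encrypt, upload, query.  Returns the top-k
    classes, the probability vector and the blobs the untrusted host saw."""
    key = key or os.urandom(32)                            # stands in for step 610
    front, back = partition(MODEL, 1)
    fw = Framework(key)
    fw.upload(encrypt(key, json.dumps(front).encode()), back)
    top, probs = fw.classify(encrypt(key, json.dumps(INPUT).encode()))
    return top, probs, fw.seen

if __name__ == "__main__":
    top, probs, seen = run_demo()
    print("top class:", top, "probabilities:", [round(p, 4) for p in probs])
    print("host saw plaintext input?", json.dumps(INPUT).encode() in b"".join(seen))
```

With the constructed weights the FrontNet emits the intermediate representation [0.0, 1.5] and the BackNet classifies the input as class 1 with probability about 0.9526; the two blobs recorded in `seen` are all the host outside the TEE ever receives from the client.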

Thus, the illustrative embodiments provide a privacy enhancing deep learning or AI cloud service framework that maintains the secrecy of an end user's input data by providing a trusted execution environment in which a portion of a pre-trained DNN executes on input data, both of which are encrypted and not accessible in an unencrypted manner outside the TEE. It is to be understood that although this disclosure includes a detailed description of embodiments of the present invention being implemented on cloud computing systems, implementation of the teachings recited herein is not limited to a cloud computing environment. Rather, embodiments of the present invention are capable of being implemented in conjunction with any other type of computing environment now known or later developed.

Cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service. This cloud model may include at least five characteristics, at least three service models, and at least four deployment models.

Characteristics of a cloud model are as follows:

(1) On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with the service's provider.

(2) Broad network access: capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

(3) Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).

(4) Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

(5) Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

Service Models are as follows:

(1) Software as a Service (SaaS): the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based e-mail). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

(2) Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

(3) Infrastructure as a Service (IaaS): the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Deployment Models are as follows:

(1) Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.

(2) Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.

(3) Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

(4) Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

A cloud computing environment is service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability. At the heart of cloud computing is an infrastructure that includes a network of interconnected nodes.

Referring now to FIG. 7, illustrative cloud computing environment 750 is depicted. As shown, cloud computing environment 750 includes one or more cloud computing nodes 710 with which local computing devices used by cloud consumers, such as, for example, personal digital assistant (PDA) or cellular telephone 754A, desktop computer 754B, laptop computer 754C, and/or automobile computer system 754N may communicate. Nodes 710 may communicate with one another. They may be grouped (not shown) physically or virtually, in one or more networks, such as Private, Community, Public, or Hybrid clouds as described hereinabove, or a combination thereof. This allows cloud computing environment 750 to offer infrastructure, platforms and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices 754A-N shown in FIG. 7 are intended to be illustrative only and that computing nodes 710 and cloud computing environment 750 can communicate with any type of computerized device over any type of network and/or network addressable connection (e.g., using a web browser).

Referring now to FIG. 8, a set of functional abstraction layers provided by cloud computing environment 750 (FIG. 7) is shown. It should be understood in advance that the components, layers, and functions shown in FIG. 8 are intended to be illustrative only and embodiments of the invention are not limited thereto. As depicted, the following layers and corresponding functions are provided:

(1) Hardware and software layer 860 includes hardware and software components. Examples of hardware components include: mainframes 861; RISC (Reduced Instruction Set Computer) architecture based servers 862; servers 863; blade servers 864; storage devices 865; and networks and networking components 866. In some embodiments, software components include network application server software 867 and database software 868.

(2) Virtualization layer 870 provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers 871; virtual storage 872; virtual networks 873, including virtual private networks; virtual applications and operating systems 874; and virtual clients 875.

In one example, management layer 880 may provide the functions described below. Resource provisioning 881 provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment. Metering and Pricing 882 provide cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may include application software licenses. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. User portal 883 provides access to the cloud computing environment for consumers and system administrators. Service level management 884 provides cloud computing resource allocation and management such that required service levels are met. Service Level Agreement (SLA) planning and fulfillment 885 provide pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.

Workloads layer 890 provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include: mapping and navigation 891; software development and lifecycle management 892; virtual classroom education delivery 893; data analytics processing 894; transaction processing 895; and deep learning cloud computing service processing 896. The deep learning cloud computing service processing 896 may comprise the pipelines and enhanced privacy cloud computing service framework previously described above with regard to one or more of the described illustrative embodiments.

As noted above, it should be appreciated that the illustrative embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements. In one example embodiment, the mechanisms of the illustrative embodiments are implemented in software or program code, which includes but is not limited to firmware, resident software, microcode, etc.

A data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a communication bus, such as a system bus, for example. The memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution. The memory may be of various types including, but not limited to, ROM, PROM, EPROM, EEPROM, DRAM, SRAM, Flash memory, solid state memory, and the like.

Input/output or I/O devices (including but not limited to keyboards, displays, pointing devices, etc.) can be coupled to the system either directly or through intervening wired or wireless I/O interfaces and/or controllers, or the like. I/O devices may take many different forms other than conventional keyboards, displays, pointing devices, and the like, such as for example communication devices coupled through wired or wireless connections including, but not limited to, smart phones, tablet computers, touch screen devices, voice recognition devices, and the like. Any known or later developed I/O device is intended to be within the scope of the illustrative embodiments.

Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modems and Ethernet cards are just a few of the currently available types of network adapters for wired communications. Wireless communication based network adapters may also be utilized including, but not limited to, 802.11 a/b/g/n wireless communication adapters, Bluetooth wireless adapters, and the like. Any known or later developed network adapters are intended to be within the spirit and scope of the present invention.

The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The embodiment was chosen and described in order to best explain the principles of the invention, the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

What is claimed is:
1. A method, in a data processing system comprising at least one processor and at least one memory, the at least one memory comprising instructions that are executed by the at least one processor to configure the at least one processor to implement an enhanced privacy deep learning system framework, the method comprising: receiving, by the enhanced privacy deep learning system framework, from a client computing device, an encrypted first subnet model of a neural network, wherein the first subnet model is one partition of multiple partitions of the neural network; loading, by the enhanced privacy deep learning system framework, the encrypted first subnet model into a trusted execution environment of the enhanced privacy deep learning system framework; decrypting, by the enhanced privacy deep learning system framework, the first subnet model within the trusted execution environment and executing the first subnet model within the trusted execution environment; receiving, by the enhanced privacy deep learning system framework, encrypted input data from the client computing device; loading, by the enhanced privacy deep learning system framework, the encrypted input data into the trusted execution environment; and decrypting and processing, by the enhanced privacy deep learning system framework, the input data in the trusted execution environment using the first subnet model executing within the trusted execution environment.
2. The method of claim 1, wherein the neural network is partitioned into at least the first subnet model and a second subnet model, and wherein the first subnet model is a FrontNet subnet model comprising an input layer of the neural network and one or more intermediate layers of the neural network model, and wherein the second subnet model is a BackNet subnet model comprising an output layer of the neural network and one or more intermediate layers of the neural network model.
3. The method of claim 2, wherein a partition point in the neural network indicating a last intermediate layer to be included in the FrontNet subnet model is selected as an intermediate layer whose intermediate representation output does not contain sensitive information corresponding to an input to the neural network, and wherein subsequent intermediate layers and the output layer of the neural network are included in the BackNet subnet model.
4. The method of claim 2, wherein the neural network is partitioned automatically using an automated partitioning tool that identifies an optimal partition point in the neural network at which to partition the neural network, wherein the optimal partition point identifies an intermediate layer at which to partition the neural network.
5. The method of claim 1, wherein the processing of the input data in the trusted execution environment using the first subnet model executing within the trusted execution environment generates one or more intermediate representations of processing of the input data, and wherein the method further comprises: inputting the one or more intermediate representations into a second subnet model of the neural network; processing the one or more intermediate representations to generate result data; and outputting the result data.
6. The method of claim 5, wherein the second subnet model executes outside the trusted execution environment.
7. The method of claim 5, wherein the result data is an N-dimensional real-value vector that represents a probability distribution over N different possible classes, and wherein the method further comprises selecting a top-k classes with corresponding probability values from the N-dimensional real-value vector, to return to the client computing device.
8. The method of claim 5, wherein the result data is output to a deep learning system to perform a deep learning operation based on the result data.
9. The method of claim 8, wherein the deep learning operation is a deep learning image recognition operation, the input data is an input image, and the result data is a classification of the input image into one of a plurality of predefined classes.
10. The method of claim 1, wherein the trusted execution environment prevents access to the decrypted first subnet model and decrypted input data from outside the trusted execution environment.
11. A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed on a data processing system, causes the data processing system to implement an enhanced privacy deep learning system framework that is configured to: receive from a client computing device, an encrypted first subnet model of a neural network, wherein the first subnet model is one partition of multiple partitions of the neural network; load the encrypted first subnet model into a trusted execution environment of the enhanced privacy deep learning system framework; decrypt the first subnet model within the trusted execution environment and execute the first subnet model within the trusted execution environment; receive encrypted input data from the client computing device; load the encrypted input data into the trusted execution environment; and decrypt and process the input data in the trusted execution environment using the first subnet model executing within the trusted execution environment.
12. The computer program product of claim 11, wherein the neural network is partitioned into at least the first subnet model and a second subnet model, and wherein the first subnet model is a FrontNet subnet model comprising an input layer of the neural network and one or more intermediate layers of the neural network model, and wherein the second subnet model is a BackNet subnet model comprising an output layer of the neural network and one or more intermediate layers of the neural network model.
13. The computer program product of claim 12, wherein a partition point in the neural network indicating a last intermediate layer to be included in the FrontNet subnet model is selected as an intermediate layer whose intermediate representation output does not contain sensitive information corresponding to an input to the neural network, and wherein subsequent intermediate layers and the output layer of the neural network are included in the BackNet subnet model.
14. The computer program product of claim 12, wherein the neural network is partitioned automatically using an automated partitioning tool that identifies an optimal partition point in the neural network at which to partition the neural network, wherein the optimal partition point identifies an intermediate layer at which to partition the neural network.
15. The computer program product of claim 11, wherein the processing of the input data in the trusted execution environment using the first subnet model executing within the trusted execution environment generates one or more intermediate representations of processing of the input data, and wherein the method further comprises: inputting the one or more intermediate representations into a second subnet model of the neural network; processing the one or more intermediate representations to generate result data; and outputting the result data.
16. The computer program product of claim 15, wherein the second subnet model executes outside the trusted execution environment.
17. The computer program product of claim 15, wherein the result data is an N-dimensional real-value vector that represents a probability distribution over N different possible classes, and wherein the method further comprises selecting a top-k classes with corresponding probability values from the N-dimensional real-value vector, to return to the client computing device.
18. The computer program product of claim 15, wherein the result data is output to a cognitive system to perform a cognitive operation based on the result data.
19. The computer program product of claim 18, wherein the cognitive operation is a cognitive image recognition operation, the input data is an input image, and the result data is a classification of the input image into one of a plurality of predefined classes.
20. A system, comprising: at least one processor; and at least one memory coupled to the at least one processor, wherein the at least one memory comprises instructions which, when executed by the at least one processor, cause the at least one processor to implement an enhanced privacy deep learning system framework that is configured to: receive from a client computing device, an encrypted first subnet model of a neural network, wherein the first subnet model is one partition of multiple partitions of the neural network; load the encrypted first subnet model into a trusted execution environment of the enhanced privacy deep learning system framework; decrypt the first subnet model within the trusted execution environment and execute the first subnet model within the trusted execution environment; receive encrypted input data from the client computing device; load the encrypted input data into the trusted execution environment; and decrypt and process the input data in the trusted execution environment using the first subnet model executing within the trusted execution environment.